Analysis Overview
SHA256
9ff40de5a55aa6b5cf34c61acd52a26f77c6eb5cf1d464e0e651a046227a7b78
Threat Level: Known bad
The file CryptSvcser.rar was found to be: Known bad.
Malicious Activity Summary
Detects PlugX payload
PlugX
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-02-18 16:09
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win10-20240214-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41004200310041003400450033003400460031004100430038004100310030000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 4600
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 209 5060
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | 250.12.16.182.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:1900 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:443 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
Files
memory/4600-0-0x0000000003140000-0x0000000003240000-memory.dmp
memory/4600-2-0x0000000003100000-0x000000000312D000-memory.dmp
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
| MD5 | 89266366e2c712e8b47b2b9ed30d60b7 |
| SHA1 | a94bb0440fe6c0d7a6c102037561ffbe6203a251 |
| SHA256 | f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0 |
| SHA512 | 385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95 |
\ProgramData\Microsoft\CryptSvcser\expatai.dll
| MD5 | dd55071ced298687339566cbe9b23c40 |
| SHA1 | 1b5f760daab97658f7c0f7c28db35f10bde761bb |
| SHA256 | ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1 |
| SHA512 | ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8 |
C:\ProgramData\Microsoft\CryptSvcser\update.log
| MD5 | fc5100b1fc7e642bf76fdc3df1846df5 |
| SHA1 | 664d22bc60a7cd08b8ba5aee9f045fa21de719cb |
| SHA256 | 8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77 |
| SHA512 | 46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47 |
memory/4172-22-0x0000000002C40000-0x0000000002C6D000-memory.dmp
memory/1180-26-0x0000000001440000-0x000000000146D000-memory.dmp
memory/5060-28-0x0000000003200000-0x0000000003201000-memory.dmp
memory/5060-30-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/1180-32-0x0000000001440000-0x000000000146D000-memory.dmp
memory/5060-31-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/4600-35-0x0000000003100000-0x000000000312D000-memory.dmp
memory/5060-43-0x0000000002F10000-0x0000000002F11000-memory.dmp
memory/5060-44-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-46-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-45-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-47-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-50-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-51-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-52-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/5060-54-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/4172-55-0x0000000002C40000-0x0000000002C6D000-memory.dmp
memory/600-57-0x0000000002700000-0x000000000272D000-memory.dmp
memory/600-56-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/600-58-0x0000000002700000-0x000000000272D000-memory.dmp
memory/600-59-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/600-60-0x0000000002700000-0x000000000272D000-memory.dmp
memory/600-61-0x0000000002700000-0x000000000272D000-memory.dmp
memory/600-62-0x0000000002700000-0x000000000272D000-memory.dmp
memory/5060-63-0x0000000003580000-0x00000000035AD000-memory.dmp
memory/600-64-0x0000000002700000-0x000000000272D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win11-20240214-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003100410042004100360043004200360030004600390045004300460039000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 3676
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 209 4228
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | 250.12.16.182.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| US | 52.111.227.11:443 | | tcp |
| HK | 182.16.12.250:81 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | tcp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| HK | 182.16.12.250:53 | mail.whoamis.info | tcp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
Files
memory/3676-0-0x0000000002760000-0x0000000002860000-memory.dmp
memory/3676-1-0x0000000000D00000-0x0000000000D2D000-memory.dmp
memory/3676-2-0x0000000000D00000-0x0000000000D2D000-memory.dmp
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
| MD5 | 89266366e2c712e8b47b2b9ed30d60b7 |
| SHA1 | a94bb0440fe6c0d7a6c102037561ffbe6203a251 |
| SHA256 | f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0 |
| SHA512 | 385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95 |
C:\ProgramData\Microsoft\CryptSvcser\expatai.dll
| MD5 | dd55071ced298687339566cbe9b23c40 |
| SHA1 | 1b5f760daab97658f7c0f7c28db35f10bde761bb |
| SHA256 | ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1 |
| SHA512 | ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8 |
C:\ProgramData\Microsoft\CryptSvcser\update.log
| MD5 | fc5100b1fc7e642bf76fdc3df1846df5 |
| SHA1 | 664d22bc60a7cd08b8ba5aee9f045fa21de719cb |
| SHA256 | 8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77 |
| SHA512 | 46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47 |
memory/892-21-0x00000000027B0000-0x00000000027DD000-memory.dmp
memory/892-23-0x00000000027B0000-0x00000000027DD000-memory.dmp
memory/228-26-0x00000000017A0000-0x00000000017CD000-memory.dmp
memory/228-27-0x00000000017A0000-0x00000000017CD000-memory.dmp
memory/4228-28-0x0000000000910000-0x0000000000911000-memory.dmp
memory/4228-29-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-30-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-40-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
memory/4228-41-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-42-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-43-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-44-0x0000000001230000-0x000000000125D000-memory.dmp
memory/4228-48-0x0000000001230000-0x000000000125D000-memory.dmp
memory/228-49-0x00000000017A0000-0x00000000017CD000-memory.dmp
memory/4228-50-0x0000000001230000-0x000000000125D000-memory.dmp
memory/3676-53-0x0000000000D00000-0x0000000000D2D000-memory.dmp
memory/4228-52-0x0000000001230000-0x000000000125D000-memory.dmp
memory/892-54-0x00000000027B0000-0x00000000027DD000-memory.dmp
memory/3664-56-0x0000000000F20000-0x0000000000F4D000-memory.dmp
memory/3664-55-0x0000000000820000-0x0000000000821000-memory.dmp
memory/3664-57-0x0000000000F20000-0x0000000000F4D000-memory.dmp
memory/3664-58-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/3664-59-0x0000000000F20000-0x0000000000F4D000-memory.dmp
memory/3664-60-0x0000000000F20000-0x0000000000F4D000-memory.dmp
memory/3664-61-0x0000000000F20000-0x0000000000F4D000-memory.dmp
memory/4228-62-0x0000000001230000-0x000000000125D000-memory.dmp
memory/3664-63-0x0000000000F20000-0x0000000000F4D000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win7-20231215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2896 wrote to memory of 2424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 236 wrote to memory of 224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 236 wrote to memory of 224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 236 wrote to memory of 224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win7-20231215-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41003400360042003700420038003900460039003900420043003500330036000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 2932
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 209 2832
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| HK | 182.16.12.250:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | tcp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| HK | 182.16.12.250:53 | mail.whoamis.info | tcp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
Files
memory/2932-0-0x0000000000950000-0x0000000000A50000-memory.dmp
memory/2932-1-0x00000000008D0000-0x00000000008FD000-memory.dmp
memory/2932-2-0x00000000008D0000-0x00000000008FD000-memory.dmp
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
| MD5 | 89266366e2c712e8b47b2b9ed30d60b7 |
| SHA1 | a94bb0440fe6c0d7a6c102037561ffbe6203a251 |
| SHA256 | f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0 |
| SHA512 | 385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95 |
C:\ProgramData\Microsoft\CryptSvcser\expatai.dll
| MD5 | dd55071ced298687339566cbe9b23c40 |
| SHA1 | 1b5f760daab97658f7c0f7c28db35f10bde761bb |
| SHA256 | ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1 |
| SHA512 | ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8 |
C:\ProgramData\Microsoft\CryptSvcser\update.log
| MD5 | fc5100b1fc7e642bf76fdc3df1846df5 |
| SHA1 | 664d22bc60a7cd08b8ba5aee9f045fa21de719cb |
| SHA256 | 8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77 |
| SHA512 | 46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47 |
memory/1760-20-0x00000000008A0000-0x00000000008CD000-memory.dmp
memory/1760-21-0x00000000008A0000-0x00000000008CD000-memory.dmp
memory/2884-25-0x0000000000160000-0x000000000018D000-memory.dmp
memory/2884-26-0x0000000000160000-0x000000000018D000-memory.dmp
memory/2832-31-0x00000000000E0000-0x00000000000FB000-memory.dmp
memory/2832-33-0x0000000000100000-0x0000000000102000-memory.dmp
memory/2832-27-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2832-35-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2832-36-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2884-38-0x0000000000160000-0x000000000018D000-memory.dmp
memory/2832-39-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2932-43-0x00000000008D0000-0x00000000008FD000-memory.dmp
memory/2832-50-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2832-51-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2832-52-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2832-53-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2832-54-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2832-57-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2832-58-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/1760-62-0x00000000008A0000-0x00000000008CD000-memory.dmp
memory/2472-69-0x00000000001A0000-0x00000000001CD000-memory.dmp
memory/2472-70-0x00000000001A0000-0x00000000001CD000-memory.dmp
memory/2472-72-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2472-71-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2472-73-0x00000000001A0000-0x00000000001CD000-memory.dmp
memory/2472-74-0x00000000001A0000-0x00000000001CD000-memory.dmp
memory/2472-75-0x00000000001A0000-0x00000000001CD000-memory.dmp
memory/2832-76-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2472-77-0x00000000001F0000-0x000000000021D000-memory.dmp
memory/2472-78-0x00000000001A0000-0x00000000001CD000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
| Destination IP | 182.16.12.250 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33004600350037003800370038004600410043003500450033004200310038000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 548
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 209 768
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | 250.12.16.182.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| HK | 182.16.12.250:81 | mail.whoamis.info | udp |
| HK | 182.16.12.250:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| HK | 182.16.12.250:443 | list.whoamis.info | tcp |
| HK | 182.16.12.250:1900 | list.whoamis.info | tcp |
| US | 8.8.8.8:53 | list.whoamis.info | udp |
| US | 8.8.8.8:53 | poer.whoamis.info | udp |
| HK | 182.16.12.250:1900 | poer.whoamis.info | udp |
| HK | 182.16.12.250:443 | poer.whoamis.info | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.whoamis.info | udp |
| US | 8.8.8.8:53 | www.whoamis.info | udp |
| HK | 182.16.12.250:53 | www.whoamis.info | tcp |
| HK | 182.16.12.250:81 | www.whoamis.info | tcp |
Files
memory/548-0-0x0000000002FC0000-0x00000000030C0000-memory.dmp
memory/548-1-0x00000000030F0000-0x000000000311D000-memory.dmp
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
| MD5 | 89266366e2c712e8b47b2b9ed30d60b7 |
| SHA1 | a94bb0440fe6c0d7a6c102037561ffbe6203a251 |
| SHA256 | f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0 |
| SHA512 | 385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95 |
C:\ProgramData\Microsoft\CryptSvcser\expatai.dll
| MD5 | dd55071ced298687339566cbe9b23c40 |
| SHA1 | 1b5f760daab97658f7c0f7c28db35f10bde761bb |
| SHA256 | ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1 |
| SHA512 | ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8 |
C:\ProgramData\Microsoft\CryptSvcser\update.log
| MD5 | fc5100b1fc7e642bf76fdc3df1846df5 |
| SHA1 | 664d22bc60a7cd08b8ba5aee9f045fa21de719cb |
| SHA256 | 8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77 |
| SHA512 | 46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47 |
memory/3224-22-0x0000000000D00000-0x0000000000D2D000-memory.dmp
memory/4560-26-0x0000000001590000-0x00000000015BD000-memory.dmp
memory/4560-27-0x0000000001590000-0x00000000015BD000-memory.dmp
memory/768-29-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-28-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/768-31-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-30-0x0000000001650000-0x000000000167D000-memory.dmp
memory/548-36-0x00000000030F0000-0x000000000311D000-memory.dmp
memory/768-43-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/768-44-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-45-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-46-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-47-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-50-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-51-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-52-0x0000000001650000-0x000000000167D000-memory.dmp
memory/768-54-0x0000000001650000-0x000000000167D000-memory.dmp
memory/3224-55-0x0000000000D00000-0x0000000000D2D000-memory.dmp
memory/4244-56-0x0000000000840000-0x0000000000841000-memory.dmp
memory/4244-58-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
memory/4244-60-0x0000000000590000-0x0000000000591000-memory.dmp
memory/4244-59-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
memory/4244-61-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
memory/4244-62-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
memory/4244-63-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
memory/768-64-0x0000000001650000-0x000000000167D000-memory.dmp
memory/4244-65-0x0000000000ED0000-0x0000000000EFD000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win10-20240214-en
Max time kernel
130s
Max time network
131s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4056 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4056 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4056 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-18 16:09
Reported
2024-02-18 16:12
Platform
win11-20240214-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1924 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1924 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1924 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\expatai.dll,#1